Sven Vermeulen <swift@g.o> Monday 22 of August 2011 19:11:38

> On Mon, Aug 22, 2011 at 03:18:16PM +0000, Sven Vermeulen wrote:
> > What you are suggesting (label init script) is exactly what I was talking
> > about: instead of having the init scripts labeled initrc_exec_t, they
> > should be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ...
> > and Gentoo's integrated run_init support, which by the policy is
> > currently only working on initrc_exec_t, should support those too.
>
> I guess that won't be happening soon.
>
> When an administrative interface is granted to a domain/role (like
> ldap_admin) then a role transition to system_r is automatically granted
> when a transition occurs on the domain-specific initrc script (like
> slapd_initrc_exec_t). In case of integrated run_init support, this would
> create a context root:system_r:run_init_t, which is invalid.
>
> Removing the role transition in all administrative interfaces is imo a
> no-go as that would mean lots of work and maintenance.
>
> Oh well, it was fun to try...
>
> Wkr,
> Sven Vermeulen
Maybe a better idea would be to move one level up and, instead of working with
domain templates, create role templates. I generally like the idea of
roles, and I think it may be a nice solution that an administrator may give someone
the dba_admin role.

So templates should not only create domains, but roles too.

I may try to write a few such templates.

Regards,
Radek
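As an added illustration of the two ideas in this thread (not code from the posters or from refpolicy), the sketch below is a reference-policy style template that creates a per-service administrative role the way Radek proposes, using the same `role_transition` to `system_r` on the service's own labelled init script that Sven describes for `*_admin` interfaces. The template name, the `$1_admin` role/domain naming and the parameter layout are assumptions; `$2_t` and `$2_initrc_exec_t` are assumed to be declared by the service module already.

```m4
## Constructed example for this thread, not refpolicy code.
## $1: role prefix (e.g. dba); $2: service module prefix (e.g. postgresql)
## whose policy already declares $2_t and $2_initrc_exec_t (assumed).
template(`admin_role_template',`
	gen_require(`
		type $2_t, $2_initrc_exec_t;
		role system_r;
	')

	# Unlike a domain template, this creates the role itself together with
	# its user domain ($1_admin_r / $1_admin_t), so an administrator can
	# hand out e.g. dba_admin_r as one unit.
	role $1_admin_r;
	userdom_base_user_template($1_admin)

	# Same wiring as a conventional <svc>_admin interface: executing the
	# service's labelled init script transitions the role to system_r.
	# As noted in the thread, this interacts badly with Gentoo's
	# integrated run_init, which only handles plain initrc_exec_t.
	init_labeled_script_domtrans($1_admin_t, $2_initrc_exec_t)
	domain_system_change_exemption($1_admin_t)
	role_transition $1_admin_r $2_initrc_exec_t system_r;
	allow $1_admin_r system_r;

	# Day-to-day administration of the running service domain.
	allow $1_admin_t $2_t:process { ptrace signal_perms };
	ps_process_pattern($1_admin_t, $2_t)
')

# Constructed usage in a .te file: a DBA role over the postgresql module.
# admin_role_template(dba, postgresql)
```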